Data processing agreement (DPA)

A data processing agreement (DPA) governs, under Article 28 of the GDPR, how a service provider processes personal data on behalf of a company.

What is a data processing agreement (DPA)?

A data processing agreement (DPA, German Auftragsverarbeitungsvertrag / AVV) is a contract required under Article 28 of the GDPR. It governs how a service provider processes personal data on behalf of a company.

When do you need a DPA?

Whenever an external service provider processes personal data on your behalf, such as a cloud provider. The commissioning company remains responsible towards the data subjects.

What must a DPA contain?

  • Subject matter, duration and purpose of processing
  • Type of data and categories of data subjects
  • Technical and organisational measures
  • Rules on sub-processors and deletion

How SecureCloud provides the DPA

SecureCloud provides a DPA as part of the offering and processes data GDPR-compliantly in Germany. This lets companies meet their obligations as controllers demonstrably.

Frequently asked questions

Is a DPA mandatory?

Yes. As soon as a service provider processes personal data on your behalf, a data processing agreement under Article 28 of the GDPR is required.

Who is responsible under a DPA?

The commissioning company remains the controller under the GDPR. The service provider is the processor and acts on instructions.

Does SecureCloud offer a DPA?

Yes. A data processing agreement is part of the SecureCloud offering.

Erfahren Sie mehr!

Unsere Experten beantworten Ihnen gerne alle Fragen.

Elevating business.